feat(event-hub): add validation permissions (SSPROD-45861) (#70)

matteopasa · web-flow · commit b05c27b3d7ee · 2025-04-17T11:06:22.000+02:00
* add monitoring reader role

* add reader permission

* add Monitoring Reader role

* change resource name
diff --git a/modules/integrations/event-hub/main.tf b/modules/integrations/event-hub/main.tf
@@ -117,6 +117,24 @@ resource "azurerm_role_assignment" "sysdig_data_receiver" {
   principal_id         = azuread_service_principal.sysdig_event_hub_sp.object_id
 }
 
+#---------------------------------------------------------------------------------------------
+# Assign "Reader" role to Sysdig SP at subscription level to check resource existence
+#---------------------------------------------------------------------------------------------
+resource "azurerm_role_assignment" "sysdig_subscription_reader" {
+  scope                = data.azurerm_subscription.sysdig_subscription.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.sysdig_event_hub_sp.object_id
+}
+
+#---------------------------------------------------------------------------------------------
+# Assign "Monitoring Reader" role to Sysdig SP at subscription level to check resource health
+#---------------------------------------------------------------------------------------------
+resource "azurerm_role_assignment" "sysdig_subscription_monitoring_reader" {
+  scope                = data.azurerm_subscription.sysdig_subscription.id
+  role_definition_name = "Monitoring Reader"
+  principal_id         = azuread_service_principal.sysdig_event_hub_sp.object_id
+}
+
 #---------------------------------------------------------------------------------------------
 # Create diagnostic settings for the subscription
 #---------------------------------------------------------------------------------------------
